Smali Code Injection

In this post I wanted to demonstrate a simple code injection example on Android. As indicated in previous posts about reversing Java, the model of code execution is the same on Android: where Java has bytecode, Android has Smali code, and the executor is Dalvik (more recently ART) rather than the JVM. Here I will describe briefly how to reverse an APK and inject code in Smali.

The main steps for code injection are:

  1. Decompile APK to Smali Code
  2. Find the right place to inject the code
  3. Use safe (or unsafe) local variables to inject
  4. Recompile the Smali Code to APK
  5. Generate Signature Key
  6. Sign the Recompiled APK


Decompile APK to Smali Code

Using the tool named apktool you can easily decompile an APK into its elements. An APK is actually a ZIP-compressed file that contains the manifest (permissions, activities, services, etc.), all the compiled source code inside a DEX file (classes.dex), resources (all images, XML UI elements, sounds, etc.), libraries (generally native ones), and META-INF (the public key of the signature).

You can download apktool from here. Using the following command you can decompile the APK.

java -jar apktool.jar d YOUR_APK.apk

Find right place to inject the code

After successful decompilation, a folder will be generated beside the APK. Inside it there is a folder named smali which contains all the classes of the main DEX file, each in Smali format. Any of them can be used for injecting the code. Smali code looks like this:

In the above example, I put a simple Toast message after the setContentView() call of an Activity.

For making the smali code you can use two methods:

  1. Use the Smali instruction set directly. See this link for more details.
  2. TRICK: Write your code in a separate Android project and build its APK. Then use apktool on that APK to obtain the Smali code of your {injection} code!

Use safe (or unsafe) local variables to inject

As you can see in the above example, I used v1, v2, v3, … for the injected Smali code. The v_i, i ∈ {1, 2, …, 16}, are the local registers. Android provides 16 registers for this purpose, covering both the local variables of the method (v registers) and the parameters (p registers) of the method we are injecting into; for example, onCreate has two parameters (p0 for this, p1 for the Bundle) and some local variables (v registers). You should use v registers for your own code without clobbering the ones the existing code relies on. If you can add extra locals to the method, you can use those safe registers; if not, you have to reuse the already-defined local registers without disturbing the values the surrounding code still needs.
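As an added example (not code from the post), a small Python checker for the register question above. It assumes a method in the text form apktool emits: it counts the parameter registers from the method descriptor, finds which declared locals the existing instructions never touch, and reports whether raising the local count would push the parameters past v15, where non-range instructions such as invoke-virtual cannot reach them.

```python
import re
# Constructed sample (not from the post): an onCreate() as apktool emits it, before any edit.
SAMPLE_ONCREATE = """\
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const v0, 0x7f040017
    invoke-virtual {p0, v0}, Landroid/app/Activity;->setContentView(I)V
    return-void
.end method
"""

METHOD_RE = re.compile(r"^\s*\.method\s+(.*)$", re.M)
LOCALS_RE = re.compile(r"^\s*\.locals\s+(\d+)", re.M)
V_REG_RE = re.compile(r"\bv(\d+)\b")

def count_arg_registers(descriptor):
    """Registers used by the arguments: one each, two for long (J) / double (D)."""
    n, i = 0, 0
    while i < len(descriptor):
        is_array = False
        while descriptor[i] == "[":          # arrays are references: one register
            is_array, i = True, i + 1
        c = descriptor[i]
        if c == "L":                         # object type runs up to ';'
            i = descriptor.index(";", i)
        n += 2 if c in "JD" and not is_array else 1
        i += 1
    return n

def analyze_registers(method_text):
    """Declared locals, parameter registers (p0 is 'this' unless static) and
    which local registers the existing instructions never touch."""
    header = METHOD_RE.search(method_text).group(1)
    descriptor = header[header.index("(") + 1:header.index(")")]
    params = (0 if " static " in f" {header} " else 1) + count_arg_registers(descriptor)
    locals_ = int(LOCALS_RE.search(method_text).group(1))
    used = {int(v) for v in V_REG_RE.findall(method_text)}
    return {"locals": locals_, "params": params, "used": sorted(used),
            "free": [v for v in range(locals_) if v not in used]}

def plan_registers(method_text, needed):
    """Pick registers for new code: untouched locals first, then extra locals.
    Unsafe once locals + params exceed 16: parameters then sit above v15."""
    info = analyze_registers(method_text)
    new_locals = info["locals"] + max(0, needed - len(info["free"]))
    use = (info["free"] + list(range(info["locals"], new_locals)))[:needed]
    total = new_locals + info["params"]
    return {"use": use, "new_locals": new_locals, "total": total, "safe": total <= 16}
```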

Recompile the Smali Code to APK

If the injection is correct, you can use the following command to recompile the modified code.

java -jar apktool.jar b THE_DECOMPILED_FOLDER

This will generate an APK inside THE_DECOMPILED_FOLDER/dist folder.

Generate Signature Key

Sign the Recompiled APK
